Vendors Forge Web Services Security Group

UPDATED: Purveyors of Web services are so concerned with security
that they have formed a technical committee to improve the work of the
WS-Security standard created by OASIS.

Microsoft, IBM, BEA Systems and other top software makers will lead Web
Services Secure Exchange (WS-SX), a group to improve the way users safely
exchange SOAP messages for Web services transactions. WS-SX
will also define security policies for those messages.


WS-SX is meant to build upon specs for WS-SecurityPolicy (WS-SP), WS-Trust
and WS-SecureConversation (WS-SC).


WS-Trust describes a framework for managing trust relationships between
parties exchanging information. WS-SecureConversation provides a secure
context for groups to exchange multiple messages without re-authenticating.
WS-SecurityPolicy defines general security policies for services.


Ari Bixhorn, director of Web services strategy for Microsoft, said WS-SX has
been in the plans as an add-on to WS-Security since day one.


“We had to lay the foundation with WS-Security first and then add this
additional functionality on top of it,” Bixhorn said in an interview.


While WS-Security provides a baseline for secure Web services communication,
WS-Trust, WS-SP, WS-SC and now WS-SX provide long-running, secure Web
services conversations. They also allow for Web services to expose their
security requirements in a way that other Web services can understand.


“If I build a Web service, I want other people to communicate with it,”
Bixhorn said. “So I need to be able to express what my security requirements
for that Web service would be, such as the token type required and protocol
requirements.


“Once I’ve established secure communication between Web services,
SecureConversation allows me to continue a long-running Web service
communication in a secure fashion.”


The WS-SX group will first convene in December under the auspices of OASIS.


Web services development continues to chug along, with major, medium-sized
and small companies all clamoring for pieces of the multi-billion-dollar Web
services and service-oriented architecture (SOA) pie.


Security was long considered one of the stumbling blocks for the
proliferation and facilitation of Web services.


One of the concerns going back four years or so was that Microsoft, IBM and
other competitors in the software space would not be able to put aside their
differences to improve Web services security, interoperability and
management.


But Microsoft and IBM have never been closer, working on various aspects of
WS-Security and other core tenets in the WS-* canon fathered by OASIS.

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web